===== Tunnel without Security =====

Here's the respective man page excerpt:

  Example 1: A simple tunnel without security

On may:

<code>
openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 9
</code>

On june:

<code>
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 9
</code>

Now verify the tunnel is working by pinging across the tunnel.

On may:

<code>
ping 10.4.0.2
</code>

On june:

<code>
ping 10.4.0.1
</code>

===== Preshared Key Method =====

==== Creating the Key ====

First of all, generate a random key like so:

<code>
openvpn --genkey --secret key
</code>

or maybe also:

<code>
openvpn --genkey --cipher BF-CBC --keysize 128 --secret key
</code>

To show the possible arguments to ''--cipher'' and ''--keysize'':

<code>
openvpn --show-ciphers
</code>

==== Configuring the Peers ====

The remaining procedure is analogous to [[#Tunnel_without_Security|Tunnel without Security]] above, though with the additional parameter ''--secret'':

On may:

<code>
openvpn --remote june.kg --dev tun1 --ifconfig 10.4.0.1 10.4.0.2 --verb 5 --secret key
</code>

On june:

<code>
openvpn --remote may.kg --dev tun1 --ifconfig 10.4.0.2 10.4.0.1 --verb 5 --secret key
</code>

===== Server with TLS =====

The following requires the existence of a CA. To generate one, refer to [[SSL]].

The TLS server needs a file with Diffie-Hellman parameters in PEM format. To create it:

<code>
openssl dhparam -out dh1024.pem 1024
</code>

Each peer requires a key/certificate pair. Begin by creating a CSR:

<code>
openssl req -nodes -new -keyout mycert.key -out mycert.csr
</code>

Then have the CA sign the request (mycert.csr):

<code>
openssl ca -out mycert.crt -in mycert.csr
</code>

To mitigate DoS attacks against the TLS handshake, an additional TLS auth file may be shared between peers. An openvpn-generated preshared key serves well for that purpose:

<code>
openvpn --genkey --secret key
</code>

===== Bridging vs. Tunneling =====

To create an interface which may be bridged, ''--dev tapX'' must be given. Arguments passed to ''--ifconfig'' are then interpreted differently: with a TAP device the second argument is the subnet mask rather than the peer's address (compare ''ifconfig 192.168.1.21 255.255.255.0'' in the client sample config below). If the TAP device is supposed to be bridged, ''--ifconfig'' should be omitted entirely.
===== Performance-Tuning =====

==== Less Security ====

Reducing crypto-induced overhead usually improves performance, though often there is a mandatory minimum security which prevents this from being a real alternative.

==== Reducing Log-Output ====

Embedded devices in particular benefit from a low ''--verb'' value.

===== Sample Configs =====

==== Server ====

<code>
#local 10.0.0.1
tls-server
mode server
port 1194
proto udp
dev tap
#dev tun
ca /etc/ssl/openvpn/cacert.pem
cert /etc/ssl/openvpn/basecrt.pem
key /etc/ssl/openvpn/base.key
dh /etc/ssl/openvpn/dh1024.pem
#server 10.4.0.0 255.255.255.0
#server-bridge 192.168.1.1 255.255.255.0 192.168.1.100 192.168.1.200
push "route 192.168.1.0 255.255.255.0"
#push "route 192.168.20.0 255.255.255.0"
#push "redirect-gateway"
#push "dhcp-option DNS 192.168.1.23"
push "dhcp-option DNS 192.168.1.1"
keepalive 10 120
tls-auth /etc/ssl/openvpn/ta.key 0 # This file is secret
max-clients 5
user nobody
group nobody
persist-key
persist-tun
verb 3
mute-replay-warnings
</code>

==== Client ====

<code>
tls-client
dev tap
proto udp
#remote pr4x.ath.cx 1194
remote 10.0.0.1
ifconfig 192.168.1.21 255.255.255.0
route-gateway 192.168.1.1
redirect-gateway
nobind
user nobody
group nobody
persist-key
persist-tun
ca /etc/openvpn/cacert.pem
cert /etc/openvpn/tinycrt.pem
key /etc/openvpn/private/tinykey.pem
#ns-cert-type server
tls-auth /etc/openvpn/private/ta.key 1
#verb 6
verb 3
</code>
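The checks a reviewer would run over configs like the two above, as an added example that is not from this wiki page or the OpenVPN project: a POSIX shell lint that verifies the points made in the "Server with TLS", "Performance-Tuning" and "Sample Configs" sections (a TLS peer carries ''tls-auth'' and a non-TLS tunnel at least ''secret''; key material exists and is readable only by its owner; the daemon drops privileges with ''user''/''group'' and keeps ''persist-key''/''persist-tun''; ''verb'' stays below debug level). It assumes a plain "option value" config file such as the samples, that key files are on the local disk, and only awk, grep and find; the function names and warning texts are this example's own.

```shell
#!/bin/sh
# Added example, not from the wiki page: a small lint for OpenVPN config files
# covering the security points made in the sections above. Assumes POSIX sh,
# awk, grep and find, and a plain "option value" config like the samples.

# has_opt CONF OPTION -> exit 0 when OPTION appears uncommented in CONF
has_opt() {
    awk -v opt="$2" '$1 == opt { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# opt_value CONF OPTION -> first argument of OPTION (empty when unset)
opt_value() {
    awk -v opt="$2" '$1 == opt { print $2; exit }' "$1"
}

# file_private FILE -> exit 0 when FILE exists and is unreadable by group/others
file_private() {
    [ -f "$1" ] || return 1
    # find prints the path when the group or the world read bit is set
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# lint_conf CONF -> prints one line per finding, returns the number of findings
lint_conf() {
    conf=$1
    n=0
    warn() { printf '%s: %s\n' "$conf" "$1"; n=$((n + 1)); }

    # A TLS peer should carry the tls-auth file (the DoS protection from the
    # "Server with TLS" section); a peer without TLS needs at least --secret.
    if has_opt "$conf" tls-server || has_opt "$conf" tls-client; then
        has_opt "$conf" tls-auth || warn 'TLS peer without tls-auth'
    elif ! has_opt "$conf" secret; then
        warn 'neither TLS nor secret configured: tunnel without security'
    fi

    # Key material must exist and be readable only by its owner; static keys
    # written by "openvpn --genkey" carry a fixed PEM-style header.
    for opt in key secret tls-auth; do
        f=$(opt_value "$conf" "$opt")
        [ -n "$f" ] || continue
        if ! file_private "$f"; then
            warn "$opt file $f is missing or readable by group/others"
        elif [ "$opt" != key ] && ! grep -q '^-----BEGIN OpenVPN Static key V1-----' "$f"; then
            warn "$opt file $f is not an OpenVPN static key"
        fi
    done

    # Privilege drop as in the sample configs: user/group, plus persist-key and
    # persist-tun so a restart does not need the dropped privileges back.
    if has_opt "$conf" user && has_opt "$conf" group; then
        has_opt "$conf" persist-key && has_opt "$conf" persist-tun \
            || warn 'user/group set without persist-key and persist-tun'
    else
        warn 'no user/group: daemon keeps root after startup'
    fi

    # verb 5 and above logs per-packet detail: fine while debugging a tunnel,
    # costly on embedded devices and noisy for long-running peers.
    v=$(opt_value "$conf" verb)
    [ -n "$v" ] && [ "$v" -ge 5 ] && warn "verb $v is debug-level logging"

    return $n
}
```

Run it as ''lint_conf /etc/openvpn/server.conf''; the exit status is the number of findings, so a clean config returns 0 and the function can gate a deployment script. Inline comments such as the ''# This file is secret'' trailer on the ''tls-auth'' line are harmless because only the first two fields of each line are read.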